Monday, June 27, 2011

Working with OWSM Policies – Part 1 of some

In this post I discuss the available options to work with OWSM (Oracle Web Services Manager) policies in JDeveloper and Enterprise Manager. OWSM is a component available along with the Oracle SOA Suite and provides policy enforcement point (PEP) agents for SOAP-based messages.

Typically, a service policy is attached to a service endpoint to enforce some pre-defined rules (such as requiring a SAML token or a Kerberos token, message confidentiality, SSL, etc.), and a corresponding client policy is attached to the client to transform the outgoing SOAP message so that it satisfies the policy enforced on the server side.

OWSM Policies in JDeveloper


OWSM supports two types of repositories for its policy files: file system or database.
When working with JDeveloper, you can choose which one you want to use.
By default, JDeveloper reads policies from the file system. To check that out, go to Tools -> Preferences -> WS Policy Store (on the left).


The File Store Default Location refers to the oracle/store/gmds directory of DefaultDomain, under the systemxx.x.x.x.xx.xx.xx folder in $JDEV_USER_DIR. Policies are under owsm/policies and assertion templates are under owsm/assertiontemplates.

Friday, June 17, 2011

Oracle Identity Manager Academy from the Fusion Security Blog

Index to the Oracle Identity Manager Series from the Fusion Security Blog Team

OIM 11g is the current release of the Oracle provisioning tool. This post serves as the index for all the other OIM-related posts in this blog. Through these posts we try to help OIM customers and developers with technical and architectural recommendations, discussions of specific implementation topics and their caveats, tips about problems we face in our daily work and much more.

OIM Concepts

OIM Tips & Examples

OIM & SOA

OIM & LDAP Synch

OIM Integration

Patches and Patching

Tuesday, June 14, 2011

Oracle Entitlements Server 11g launch party!

OK, well maybe party isn't the right word, but there is a launch event:

We will be offering a live launch webcast featuring Roger Wigenstam from Oracle and Swapnil Mehta from SENA systems on Jul 14 at 10 am PT. The webcast is titled “Introducing Oracle Entitlements Server 11g”. During this webcast we will cover what’s new in Oracle Entitlements Server 11g in addition to recommendations for planning a real world deployment for externalizing authorization from apps.
Roger is a Product Manager at Oracle in charge of OES, OPSS, OWSM and OEG (technically he's a Senior Director of Product Management).

Swapnil is the Director of SENA Systems' Global Access Management Practice. I've worked with him since I went to work at BEA as part of the sales team for OES' predecessor product Aqualogic Entitlements Server.

The product has been improved and enhanced quite dramatically in the 11g release and there's plenty to talk about. This event is basically two really smart guys talking about what's in OES 11g and why we're all pretty excited about the release.

More information on the event is available on the event page.

Those of you that can't make it to the online event can rest assured that I'll be blogging a whole lot more about OES 11g here for both new and existing users of OES!

Monday, June 13, 2011

OIM 11g Event Handlers

Event Handlers are among the most common customizations in OIM 11g implementations. They have been available in OIM for a long time, but with 11g and its new frameworks, they certainly are becoming even more popular.

The most common use of event handlers is for extending the user management operations. Although a variety of business requirements can be achieved through custom event handlers, they must be used with care and with focus on the performance impact they may bring to OIM transactions.

The main types of Event Handlers are:

Thursday, June 9, 2011

Using OIM 11g APIs in Fusion Web Applications


Introduction


The purpose of this article is to describe the setup needed to build ADF/Fusion Web Applications in JDeveloper that make use of the new OIM 11g APIs and services.


Overview

I have encountered many users who are trying to develop applications using the OIMClient classes and run into the following exception:

Can't find wsdl /wsdls/wsat11/wstx-wsat-1.1-wsdl-200702.wsdl
at weblogic.wsee.deploy.WSEEModule.prepare(WSEEModule.java:146)
at weblogic.wsee.deploy.AppDeploymentExtensionFactory.prepare(AppDeploymentExtensionFactory.java:147)
at weblogic.wsee.deploy.AppDeploymentExtensionFactory.access$100(AppDeploymentExtensionFactory.java:27)
at weblogic.wsee.deploy.AppDeploymentExtensionFactory$1.prepare(AppDeploymentExtensionFactory.java:427)
at weblogic.application.internal.flow.AppDeploymentExtensionFlow.prepare(AppDeploymentExtensionFlow.java:23)
Truncated. see log file for complete stacktrace

This happens when trying to deploy the ADF application to a WebLogic Managed Server within a domain. This unfortunately is not documented anywhere and many customers have been very frustrated looking for answers. So here it is.


Solution


The problem is due to a conflict in the class loading of wlfullclient.jar and oimclient.jar; the latter is needed for your OIM code to compile. The fix is to add both wlfullclient.jar and oimclient.jar to the lib directory of your domain (i.e. OFMW_HOME/user_projects/domains/myDomain/lib) and to exclude oimclient.jar from the deployment profile that creates your EAR file and the WAR inside it. Make sure you remove these dependencies from the ViewController project, which is the one that creates the WAR file.

Deploy your application to an EAR file first so you can check that there are no references to oimclient.jar or wlfullclient.jar in the WAR file. JDeveloper lets you inspect it by clicking the link to the generated EAR file in the Deployment window at the bottom. Double-click the _ViewController_webapp1.war file to look at its contents and the included libraries, and make sure neither oimclient.jar nor wlfullclient.jar is referenced.

If you then deploy this archive using the WebLogic Console it should deploy just fine, and when you activate the changes no exceptions about missing WSDLs will be thrown.
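The check in the previous paragraphs (no copy of oimclient.jar or wlfullclient.jar packaged inside the WAR once they live in the domain lib directory) can be automated. The script below is an added example, not code from this post or from Oracle; it builds a small constructed EAR in memory purely for demonstration, then walks the EAR, recurses into any WAR it contains and reports every entry or MANIFEST.MF Class-Path reference that names one of the two jars. The entry names inside the sample archive are placeholders.

```python
"""Scan an EAR for WAR-embedded copies of oimclient.jar / wlfullclient.jar.

Added example: a second copy of either jar inside the WAR, alongside the copy
in the domain lib directory, produces the class-loading conflict described in
the post. This script reports where such references occur.
"""
import io
import zipfile

# Jars that the post moves to OFMW_HOME/user_projects/domains/<domain>/lib.
CONFLICTING_JARS = ("oimclient.jar", "wlfullclient.jar")


def _jar_name(path):
    """Last path component, e.g. 'WEB-INF/lib/oimclient.jar' -> 'oimclient.jar'."""
    return path.rsplit("/", 1)[-1]


def _manifest_classpath(zf):
    """Return jar names listed in META-INF/MANIFEST.MF Class-Path, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return []
    # Manifest continuation lines start with a single space; join them first.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if line.lower().startswith("class-path:"):
            return [_jar_name(p) for p in line.split(":", 1)[1].split()]
    return []


def find_conflicts(ear_bytes):
    """Return (archive, location) pairs referencing a conflicting jar.

    archive is '.' for the EAR itself or the path of a nested WAR; location is
    the offending entry path or 'MANIFEST Class-Path: <jar>'.
    """
    findings = []

    def scan(zf, label):
        for name in zf.namelist():
            if _jar_name(name) in CONFLICTING_JARS:
                findings.append((label, name))
            # Descend into WARs packaged in the EAR so WEB-INF/lib is covered.
            if label == "." and name.endswith(".war"):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan(inner, name)
        for jar in _manifest_classpath(zf):
            if jar in CONFLICTING_JARS:
                findings.append((label, "MANIFEST Class-Path: " + jar))

    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        scan(ear, ".")
    return findings


def build_sample_ear(include_conflicts):
    """Construct a tiny EAR (not a real JDeveloper artefact) for demonstration."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/adf-share.jar", b"placeholder")  # harmless jar
        manifest = "Manifest-Version: 1.0\r\n"
        if include_conflicts:
            war.writestr("WEB-INF/lib/oimclient.jar", b"placeholder")
            manifest += "Class-Path: lib/wlfullclient.jar\r\n"
        war.writestr("META-INF/MANIFEST.MF", manifest)
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("META-INF/application.xml", "<application/>")
        ear.writestr("_ViewController_webapp1.war", war_buf.getvalue())
    return ear_buf.getvalue()


if __name__ == "__main__":
    # Running stand-alone scans the constructed sample; pass a real EAR's bytes
    # (e.g. open(path, "rb").read()) to find_conflicts() for an actual check.
    for archive, location in find_conflicts(build_sample_ear(True)):
        print("conflict: %s -> %s" % (archive, location))
```

Run it against the EAR JDeveloper generates before deploying; an empty result means the WAR carries neither jar and the domain lib copies will be the only ones loaded.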






Wednesday, June 8, 2011

Oracle Identity and Access Management patches are available NOW



flowers on my Kousa Dogwood tree
Each Spring I look forward to seeing my Kousa Dogwood tree bloom. The white flowers are beautiful in a way that pictures really can't convey and it's one of those things that cheers me up after the cold New England winter.


"Dogwood" also happens to be the code name for the Oracle Identity and Access Management product set and, like the flowers on my actual Dogwood tree, there's something pretty exciting happening to this Dogwood this spring.

Earlier today the press release went out announcing the availability of the second in a series of Dogwood releases. The first release, 11g R1 (version 11.1.1.3.0), came out in July 2010 and included the first 11g releases of Oracle Identity Manager, Oracle Access Manager, and Oracle Adaptive Access Manager. This release, known as 11g R1 PS1 (say that 3 times fast!) or as version 11.1.1.5.0, includes some pretty dramatic new features and functionality for the 11g R1 products and includes the first 11g release of Oracle Entitlements Server.


We all want to extend a well deserved congratulations to the product teams on a job well done. We haven't been able to speak publicly about the internal betas and release candidates, but now that we can, we get to say that engineering did a really good job extending the reach of the existing products and in creating an initial 11g release of OES that fits well with the rest of the product set.

There are a whole bunch of products in the Identity Management suite and though their names are pretty obvious to us inside the company we know it can be confusing the first time you encounter them. So I thought it might be a good idea to try to provide a list of the products and to sum up each product's purpose in a single sentence.

The products in the Identity Management suite are currently broken into two separate release trains - the first is Identity Management and the second is Identity and Access Management.

The Identity Management (IdM) products are:
  • Oracle Internet Directory - an enterprise-scale LDAP directory that stores its data in Oracle Database
  • Oracle Virtual Directory - a Virtual Directory that aggregates data from multiple sources (LDAP, Active Directory, databases and custom stores) and exposes it all to clients as a single unified LDAP directory.
  • Oracle Identity Federation - a federation server that supports SAML, Liberty ID FF, WS-Federation, OpenID and Infocard. 
The Identity and Access Management (IAM) products are:
  • Oracle Access Manager - provides web Single Sign-On and access management
  • Oracle Adaptive Access Manager - provides real time fraud detection and risk scoring plus web based strong authenticators
  • Oracle Identity Manager - automates user and account management, provides self-service account tools and will automatically provision accounts to other systems, like LDAP and applications, based on workflows that administrators define.
  • Oracle Identity Navigator - a sort of portal providing a single place to go to access the consoles for all of the other IAM products.
The IAM products also include these new additions:
  • Oracle Entitlements Server - allows you to remove the authorization decision logic from your code and instead manage fine grained authorization policies centrally.
  • Oracle Secure Token Service - allows you to take one security token and exchange it for another to support identity propagation in your SOA architecture. For example you might present the STS with a Single Sign-On cookie and request a SAML Assertion in exchange.
You can find more information about all of these products from the Identity Management products page at Oracle.com.

You can expect more posts on the new features over the coming month or so as we finally get to play with and talk about the final release.

Once again congratulations to the product teams!

Thursday, June 2, 2011

Error when running the migrationUtil to upgrade to OAM 11.1.1.5

In one of my test VMs I have IAM 11g R1 installed and am upgrading to Patch Set 1 (PS1), also known as 11.1.1.5. In the upgrade process (which I'll be blogging about later) I ran into a problem running the migration utility.

When you run the migration utility it exports all of the objects in your OAM store to a compressed and encrypted file. The tool, run from the command line, connects to the WebLogic Server and iterates through all of the objects. I've been using this environment for a while and have added and deleted authentication schemes, user directories and basically every other object possible. In doing so I managed to get the environment into a perfectly operable state which the migration utility doesn't like.

On the migration utility side I see this stack trace:

Jun 1, 2011 6:17:44 PM com.sun.corba.se.impl.encoding.CDRInputStream_1_0 read_value
WARNING: "IOP00810257: (MARSHAL) Could not find class"
org.omg.CORBA.MARSHAL:   vmcid: SUN  minor code: 257 completed: Maybe
        at com.sun.corba.se.impl.logging.ORBUtilSystemException.couldNotFindClass(ORBUtilSystemException.java:8260)
        at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_value(CDRInputStream_1_0.java:1013)
        at com.sun.corba.se.impl.encoding.CDRInputStream.read_value(CDRInputStream.java:253)
        at com.sun.corba.se.impl.io.IIOPInputStream.inputObjectField(IIOPInputStream.java:1995)
        at com.sun.corba.se.impl.io.IIOPInputStream.inputClassFields(IIOPInputStream.java:2220)
        at com.sun.corba.se.impl.io.IIOPInputStream.inputObject(IIOPInputStream.java:1227)

Which isn't particularly helpful. On the WebLogic Server side I got this error which IS helpful:

<Jun 1, 2011 6:17:44 PM EDT> <Error> <oracle.oam.t2p> <OAM-22023> <Error while setting the default authentication scheme: {0}
java.lang.NullPointerException
        at oracle.security.am.t2p.MigrationMXBeanImpl.copyPolicy(Unknown Source)
        at oracle.security.am.t2p.MigrationMXBeanImpl.fetchPolicyConfiguration(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

Which, as you would expect, means that none of the Authentication Schemes is marked as the default scheme. To fix the problem you need only open the OAM Console, navigate to the LDAPscheme entry under Authentication Schemes and click the "set as default" button.
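The useful information in this case sits in the WebLogic server log, not in the client-side CORBA trace, and the two line up by timestamp (6:17:44 PM on both sides). The script below is an added example, not code from this post or from Oracle: it parses WebLogic server-log records (the `<timestamp> <severity> <subsystem> <message id> <message>` layout shown above), picks out Error records from the oracle.oam.t2p subsystem, and attaches the diagnosis this post arrived at when the record is OAM-22023 with a NullPointerException in MigrationMXBeanImpl.copyPolicy. The sample log is constructed from the lines quoted above plus one ordinary server-state record.

```python
"""Pull OAM migration errors out of a WebLogic server log.

Added example. Records start with angle-bracketed fields; continuation lines
(stack traces) belong to the preceding record until the next record starts.
"""
import re
from datetime import datetime

RECORD_START = re.compile(
    r"^<(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) [A-Z]{3,4}> "
    r"<(?P<severity>\w+)> <(?P<subsystem>[^>]*)> <(?P<msgid>[^>]*)> <(?P<message>.*)$"
)

# Constructed sample: the OAM-22023 record quoted in the post, preceded by a
# routine WebLogic server-state record so the filter has something to skip.
SAMPLE_LOG = """\
<Jun 1, 2011 6:17:40 PM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jun 1, 2011 6:17:44 PM EDT> <Error> <oracle.oam.t2p> <OAM-22023> <Error while setting the default authentication scheme: {0}
java.lang.NullPointerException
        at oracle.security.am.t2p.MigrationMXBeanImpl.copyPolicy(Unknown Source)
        at oracle.security.am.t2p.MigrationMXBeanImpl.fetchPolicyConfiguration(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
"""


def parse_records(log_text):
    """Split a server log into records: header fields plus a list of body lines."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_START.match(line)
        if m:
            rec = m.groupdict()
            # Time zone abbreviation is dropped; timestamps are kept naive.
            rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%b %d, %Y %I:%M:%S %p")
            rec["message"] = rec["message"].rstrip(">")  # single-line records close here
            rec["body"] = []
            records.append(rec)
        elif records and line.strip() != ">":  # lone '>' terminates a multi-line record
            records[-1]["body"].append(line.strip())
    return records


def oam_migration_errors(records):
    """Return Error records from oracle.oam.t2p, with a diagnosis where known.

    The only diagnosis encoded is the one this post established: OAM-22023 with
    a NullPointerException in MigrationMXBeanImpl.copyPolicy means no
    authentication scheme is marked as the default.
    """
    findings = []
    for rec in records:
        if rec["severity"] != "Error" or rec["subsystem"] != "oracle.oam.t2p":
            continue
        body = "\n".join(rec["body"])
        diagnosis = None
        if (rec["msgid"] == "OAM-22023"
                and "java.lang.NullPointerException" in body
                and "MigrationMXBeanImpl.copyPolicy" in body):
            diagnosis = "no authentication scheme is marked as default"
        findings.append({
            "timestamp": rec["timestamp"],
            "msgid": rec["msgid"],
            "message": rec["message"],
            "diagnosis": diagnosis,
        })
    return findings


if __name__ == "__main__":
    # Stand-alone run uses the constructed sample; feed it a real server log
    # (open(path).read()) to scan an actual migration attempt.
    for f in oam_migration_errors(parse_records(SAMPLE_LOG)):
        print("%s %s: %s" % (f["timestamp"], f["msgid"], f["diagnosis"] or f["message"]))
```

Records with a diagnosis of None are still real oracle.oam.t2p errors; they simply are not the case described here and need to be read by hand.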

Wednesday, June 1, 2011

Problems with hosts file and "TNS:could not resolve the connect identifier specified"

If you update your hosts file as I described in a recent post to disassociate 127.0.0.1 from your host name, you may get the error "TNS:could not resolve the connect identifier specified" when you try to spin up anything that uses the database.

This is not technically a middleware problem - it's a problem with the database. But if you're like me you're probably not a database expert and won't know how to fix it.

So here's how to fix it...